Most online (webserver) applications are not built to ensure protection of personal information. Several regulatory bodies, for example the European Union, are drafting regulations to require online service providers to explicitly ask users for the users' consent for use of the users' information. See, for example, “Proposal for a Regulation of the European Parliament and of the Council on the Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of Such Data,” European Commission (Jan. 25, 2012).
The privacy-by-design approach is a generic software engineering principle stating that in development of an online service, the protection of private data is to be considered as a feature from its initial design to implementation. In particular, the proposed EU regulation requires assuming that, when the privacy feature is not considered, data protection must be guaranteed at the most restrictive requirement possible, i.e., there should be no use of the data. This requirement is known as privacy by default. In other words, every record of the application containing information about a person is considered as private and cannot be communicated or used without explicit authorization of the owner of the data. This extreme requirement makes existing online businesses difficult to conduct since the existing software infrastructure often has not been developed with privacy guarantees in place.
In addition, the designers and implementers of new online services must learn and master yet another field of endeavor—data security. Methods and systems for integrating privacy requirements into existing applications and for reducing the programming burden of including privacy requirements into new applications are needed.